subagents-discipline

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • Indirect Prompt Injection (HIGH): In SKILL.md, Rule 1 ('Look Before You Code') mandates reading actual data from external sources like APIs, databases, and config files. Rules 2 and 3 require executing code and tools to verify this data. There are no instructions for sanitizing this data or using boundary markers. An attacker who controls the data in the database or API can inject instructions that override the agent's logic or trick it into executing malicious test commands.
  • Command Execution (MEDIUM): The skill promotes running subprocesses (curl, SQL, bd) for verification. When inputs to these commands are derived from untrusted external data (as Rule 1 suggests), it presents a risk of command injection or unauthorized actions if the agent does not properly escape or validate the data before tool use.
  • Indirect Prompt Injection Evidence (Category 8):
      ◦ Ingestion points: API, database, file, and config (Rule 1).
      ◦ Boundary markers: Absent.
      ◦ Capability inventory: Subprocess calls (Rule 2), MCP tool usage, browser automation, and database inspection (Rule 3).
      ◦ Sanitization: Absent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 09:34 AM